Snowden’s Pardon Fantasy

NSA Complex, Fort Meade, MD.

September 22, 2016 | Posted in 4th Amendment, Al-Qaeda, Classified Information, Department of Defense, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, Leaks, NSA, President Obama, Russia, Snowden, Terrorism | By

In recent days, in the run-up to the release of an Oliver Stone helmed movie about him and his self-admitted theft of secrets from NSA and subsequent flight to China and then Russia, Edward Snowden has stated that he believes he deserves a presidential pardon for his crimes.

He bases this on a belief that, “If not for these disclosures, if not for these revelations, we would be worse off,” and goes on to say that a pardon would be appropriate, “…for the exceptions, for the things that may seem unlawful in letters on a page but when we look at them morally, when we look at them ethically, and when we look at the results, it seems obvious that these were necessary things,”. Both these quotes come from a CNN article that cites an interview in The Guardian.

Estimates reported by news outlets vary, but he allegedly stole approximately 1.5 million classified documents from NSA’s internal networks, far more material than anyone could have possibly needed to demonstrate alleged malfeasance and abuse by the government. According to NBC and Defense One, he did so by using computer passwords and credentials belonging to a civilian employee of NSA, a member of the military, and an NSA contractor to hide his criminal acts – in other words, he acted as a thief and con man to gain access to as much classified material as he could before he fled to China, and Russia – two great bastions of freedom and personal privacy.

Much has been made in various media outlets of the alleged impropriety, illegality, or unconstitutionality of NSA’s foreign intelligence efforts, both within the U.S. and abroad. However, after extensive public debate, the most controversial tools that concerned U.S. citizens remain in NSA’s toolbox, one of them, the ‘Section 215’ program, retooled by Congress and the Obama administration to ally the public’s concerns about potential overreach or misuse, but not halt it.

Moreover, NSA’s extensive efforts to preserve and protect the privacy rights of U.S. citizens is now documented the Director of National Intelligence’s ‘IC on the Record’ pages on Tubmlr. Thousands of now declassified documents that demonstrate how the government worked within the constitutional and complex legal framework set up to protect U.S. citizen privacy rights during the conduct of NSA’s SIGINT operations – controls that have been in place since at least 1980.

With regard to Mr. Snowden’s assertion that we “…look at the results…” of his actions to see that his pardon is warranted, we can do that. The report from the DoD Information Review Task Force-2 (IRTF-2) Initial assessment in December of 2013, titled ‘Impact Resulting from the Compromise of Classified material by a Former NSA Contractor’, said in its overall assessment that, “The IRTF-2 assesses with high confidence that the information compromise by a former NSA contractor….will have a GRAVE impact on U.S. national defense.”

In January 2015, Al-Qaeda created a YouTube video after the Snowden leaks teaching its operatives how to evade what the terrorists referred to somewhat erroneously as ‘FBI Secret Spying technology’. In May of 2015, the Henry Jackson Society, a conservative British think-tank published a 78-page report that drew heavily from the testimony from senior security sources outlining how terror groups had changed their communications methods and began more extensive use of encryption to hide terrorist operations from intelligence agencies. A July 2015 report in the New York Times also reported the Islamic State learning communications security from the Snowden leaks.

More recently, a Wall Street Journal article discussed how an Islamic State terrorist who led the November 13th terror attacks in Paris, evaded western intelligence agencies using better operational discipline and technical savvy in his communications. An awareness of which Mr. Snowden’s leaks undoubtedly raised, given the previous reporting.

The results of Mr. Snowden’s theft and leaks are pretty clear to my mind. Operating from a misguided sense of superiority and a flawed and incomplete understanding of the extensive U.S. person privacy protections in place within the intelligence community more broadly, and NSA in particular; he elected himself congressman, attorney general, and judge of a process and an oversight regime he initially tried to cheat his way into, and then barely had three months of experience in as a contractor (I’ll bet none of that is in the movie).

President Obama believes Snowden should stand trial, and so do I.

Read More →

USSID 18 & Your Privacy

NSA Complex, Fort Meade, MD.

July 27, 2014 | Posted in 4th Amendment, Department of Defense, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, Leaks, NSA, PPD-28, Privacy, Snowden, U.S. Code Title 50 | By

NSA Complex, Fort Meade, MD.

NSA Complex, Fort Meade, MD.

Over the last year, some media outlets have used the leaked classified material from Edward Snowden to write news stories that imply NSA has either: allegedly violated the privacy rights of ‘every American’ or exceeded its authorities.  In every one of these stories, what is usually missing is a SIGINT professional’s level of understanding on the part of the journalist, admittedly difficult to gain when SIGINT operational training is classified.

Signals intelligence, referred to as SIGINT, is both technically complex due to the nature of modern communications technologies, and legally complex, due to the heavy legal and Constitutional burdens placed on the professionals at NSA who conduct it.

These professionals spend months and oftentimes years during a career training in the operational, technical, and legal aspects of conducting SIGINT – which includes training in the protection of U.S. person privacy.

For example, a recent Washington Post article on July 11th, ‘How 160,000 intercepted communications led to our latest NSA story’; written to amplify its July 5th story ‘Non-targets far outnumber targets in NSA data collection’, states that the rules for ‘minimization’ of U.S. person information are ‘opaque’ – in fact, they are not opaque at all.

The minimization rules come in two forms, both of which are written in black and white for anyone to read, now that they have been declassified.  They are contained in the Foreign Intelligence Surveillance Court’s minimization instructions as part of its numerous court rulings, and United States Signals Intelligence Directive 18 (USSID 18).   USSIDs provide implementation guidance and direction to NSA’s civilian and military workforce, ensuring our Constitutional principles, current laws, Executive Orders, and binding court orders are implemented and enforced within the entire United States SIGINT System.  For the purposes of this blog post, we’ll focus on USSID 18.

USSID 18 is titled, “Legal Compliance and U.S. Persons Minimization Procedures”, and is fifty-two pages long.  Naturally, portions of many paragraphs are blanked out as part of the declassification process, but the direction in, and intent of USSID 18 are very clear, and I can tell you from my experience in the intelligence community that it is binding and followed by all SIGINT professionals.

Discussing all the limits USSID 18 places on SIGINT operations would take several blog posts worth of space, but we can look at one instance where USSID 18 applies in the Washington Post’s July 5th story.

The Post’s story states that, in the sample of surveillance files it reviewed, ‘NSA analysts masked, or “minimized,” more than 65,000 [references to U.S. citizens or residents], but the Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.’  This line is clearly meant to bolster the implication that U.S. person identities or identifiers incidentally collected under the legally authorized, and court monitored FISA Amendments Act (the Patriot Act) Section 702 program are not properly minimized.

If this element of the Post’s story is accurate, that translates to a 98.7% accuracy rate (based on (900 / 65,900) x 100) of minimization, as required under USSID 18 – an operational standard that many U.S. corporations would envy.  The Post didn’t word it that way, but it is example of how the professionals at NSA take protection of U.S. person privacy seriously, rather than supporting the Post’s implication that NSA treats U.S. person data in a cavalier manner.

The Post’s explanatory piece on the 11th also expresses its concern about the volume and nature of incidental collection, the Director of National Intelligence’s assertion that it is unable to estimate how many Americans are affected, and that no outside watchdog – the Congress, courts, or the President’s Privacy and Civil Liberties Oversight Board have access to the content to judge for themselves.

The reason for this is obvious to a professional.  Although the Post could traipse at will through its purported pile of 160,000 intercepts (reviewing U.S. citizen’s private information under the comforting blanket of the 1st Amendment) – the government cannot legally look through incidental collection to identify and characterize it because laws, and both executive and court orders forbid it.  Laws and orders every American citizen, including those working at NSA, must obey.

At this stage of the debate, I had hoped to see stories covering how NSA adheres to law and policy to conduct their assigned foreign intelligence mission, using background interviews with NSA’s professionals and managers in a more transparent environment. Instead, we continue to see stories from some members of the media filled with a selected set of ‘facts’ provided by a man charged with theft and violations of the espionage act, filtered through well-intended, but only partially educated journalist guesswork, resulting in implications or insinuations of impropriety or illegality.  There is more to the story than just what Mr. Snowden, or the journalists who support him, would have you believe.

Read More →

Congress is not Transparent Enough About its Intelligence Oversight

IMG_0187

July 10, 2014 | Posted in Congress, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, U.S. Code Title 50 | By

IMG_0187When you get a chance, please read my latest Op-Ed in the Baltimore Sun.

Congress is not transparent enough about its intelligence oversight

Please feel free to contact me with your comments using the e-mail address in the tag line at the end of the piece.  We live in a free society and I respect any point of view that you may have, so long as you express it in a civil manner.

Thanks to all who have already sent me comments.  I’ve enjoyed reading them, and I am doing my best to respond to all of them individually.  Also, I’d like to thank Tricia Bishop and the other members of the Sun’s Editorial Board who thought this Op-Ed was worth publishing.

Read More →

Clemency for Snowden? Not likely.

NSA Complex, Fort Meade, MD.

January 26, 2014 | Posted in Classified Information, Department of Defense, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, NSA, President Obama, Snowden, Terrorism, U.S. Code Title 18 | By

NSA Complex, Fort Meade, MD.

NSA Complex, Fort Meade, MD.

The editorial boards of the New York Times and Washington Post, a handful of members of Congress and others in the general public will undoubtedly continue to advocate for the extension of clemency for Mr. Snowden.  The reasons why he will not be receiving clemency are pretty clear to me.

THE CHARGES

Let’s review what he’s charged with (you can read the criminal complaint filed with the court yourself).  Bear in mind that this is likely only the initial set of charges.  They could be amended once he’s in custody and a fuller understanding of his actions and activities is known (charges of misuse of government computer and telecommunications systems, etc.).

Snowden is charged with:

  • Theft of Government Property  –  18 U.S.C. Section 641
  • Unauthorized Communication of National Defense Information  – 18 U.S.C. 793(d)
  • Willful Communication of Classified Communications Intelligence Information to an Unauthorized Person – 18 U.S.C. 798(a) (3)

 

HOW MANY COUNTS & THE PENALTY IF CONVICTED

One of the things missing so far is the number of counts for each of these charges.  Something the government may amend the compliant to include once Mr. Snowden is in custody or been arraigned.  Statements by various NSA officials to the media have provided the following numbers to consider:  1.7 million documents stolen.  200,000 of those leaked to journalists so far.  In briefly perusing the 2013 Federal Sentencing guidelines, for just one conviction of violating 18 U.S.C 793(d) or 18 U.S.C. 798(a)(3), the minimum sentence is between seven and nine years.

Even if we assume the best case, and the government treats the entire theft of 1.7 million documents as one theft, and the communication of the information to Mr. Greenwald and Ms. Poitras are treated as two counts of unauthorized communication of National Defense Information, and two counts of Willful Communication of Classified Communications Intelligence Information; Mr. Snowden is looking at between 35 and 45 years in prison, aside from whatever fines the court may impose.

Worst case, the government chooses to make a point with Mr. Snowden’s case, and they charge him with just 10 counts each (out of a possible 1.7 million thefts and 200,000 unauthorized and willful communications).  Do the math for 10 counts on each charge and that’s 210 to 270 years in prison.

 

THE GOVERNMENT’S POSITION

Any hope that some in Congress, the public, and the media may have that Mr. Snowden will be given clemency should be tempered by the following statements:

President Obama – “…I will say that our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets. If any individual who objects to government policy can take it into their own hands to publicly disclose classified information, then we will not be able to keep our people safe, or conduct foreign policy. Moreover, the sensational way in which these disclosures have come out has often shed more heat than light, while revealing methods to our adversaries that could impact our operations in ways that we may not fully understand for years to come.”

Attorney General Holder – “We’ve always indicated that the notion of clemency isn’t something that we were willing to consider. Instead, were he coming back to the U.S. to enter a plea, we would engage with his lawyers.

FBI Director Comey – “I have trouble applying the ‘whistle-blower’ label to someone who just disagrees with the way our country is structured and operates,

Senator Feinstein – “I think the answer is no clemency,” she said, adding that he should be prosecuted.

 

A CRIMINAL NOT A WHISTLEBLOWER

What Mr. Snowden continues to fail to understand is something the President pointed out in his speech, and that FBI Director Comey pointed to in his remark quoted above.

“What I did not do is stop these programs wholesale — not only because I felt that they made us more secure, but also because nothing in that initial review, and nothing that I have learned since, indicated that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens.” – President Obama

You can’t ‘blow the whistle’ on a program that is implemented under a law Congress passed, the President signed, and that the Courts oversaw in concert with Congress.   Should Congressional Oversight have been tighter?  From what I’ve seen in the open hearings, there is a reasonable argument to made there.  Should legislators and the Courts keep better pace in all areas of law regarding the rapid advances in telecommunications technology and related privacy issues? There is a case for that too.

Did those changes need to be fomented by a series of media sensationalized, unauthorized leaks of classified material describing lawful activities by the intelligence community where no evidence of willful abuse had occurred?  Leaks that damaged diplomatic relations with our allies and other friendly nations?  Leaks that have, according to members of the intelligence committees, caused terrorists to change their communications methods and potentially exposed military operations, increasing the risk to our military service members at home and abroad?   Leaks that will in all likelihood continue because ‘journalists’ like Mr. Greenwald and Ms. Poitras care more about selling stories than they do about the safety and security of American, allied, and friendly nation’s citizens throughout the world?  No, it did not.

Mr. Snowden could (and should) have gone to the NSA Inspector General, or the Director of National Intelligence’s Inspector General, or the Department of Defense’s Complaint Hotline for classified complaints.   He also could have made a complaint to the FBI or Attorney General’s Office, or his company’s security office or leadership.  If all of those failed, he could have gone to Congress himself with his concerns.  Oversight committees LOVE to investigate potentially unlawful acts by the executive branch, and moreover, it’s their job to do so.

Instead, Snowden chose to steal 1.7 million classified documents and shared at least 200,000 of them (so far) with two members of the media, then made sure everyone knew he did it as soon as possible, so he could rise from obscurity, and show everyone that he really did know better than the collective wisdom of the members of Congress, the 15 judges on the FISA Court, and the administrations of two Presidents.  Moreover, real whistle blowers have the courage to stand up and be counted, even if they must stand in a courtroom to do it.   They don’t run away to a foreign nation to avoid the consequences of their actions, afraid of punishment for their criminal activities before the charges are even filed.

Read More →

Are we living in a surveillance state?

odni-circle

December 15, 2013 | Posted in 4th Amendment, Director of National Intelligence, E.O. 12333, FBI, FISA, FISC, Intelligence, Law Enforcement, NSA, Privacy, U.S. Code Title 10, U.S. Code Title 50 | By

Absolutely not.  A odni-circlenation where every move of every American citizen is recorded, cataloged and data based by the government runs counter to the privacy rights each citizen of the United States expects, and would be an abhorrent infringement upon one of the principle freedoms of our democracy.  Protecting those rights is something I swore to do as a member of the intelligence community, and was required to do as a civil servant and uniformed member of the armed forces.

In light of the ‘Snowden revelations’ and the plethora of news stories (few of those stories entirely accurate and not jaundiced by sensationalism), many Americans are concerned about invasions of their privacy by the government.  I share those concerns, but mine are tempered by the testimony offered before the House and Senate Intelligence and Judiciary committees, the declassified documents posted on the IConTheRecord tumbler site, and my own professional experiences within the intelligence community.

Much like the majority of the 100,000+ members of the intelligence community, I have a lifetime obligation to protect the classified material I’ve been exposed to.  I understand the valid reasons for that secrecy, and I respect them.  I was also made fully aware early in my career of the myriad of mechanisms in place to report perceived illegal or improper acts, from IG reporting through classified channels to include arranging closed door testimony before the relevant Congressional committees if needed.  For the record, in my more than twenty-five years in the intelligence community, I never encountered any instance of willful or intentional misuse of the tools, capabilities, or authorities any of my colleagues or I operated under, had access to, or could utilize.  Certainly honest errors were made, as they would be in any human endeavor, and those errors were reported through the proper mechanisms, and corrected.

At this point, let me point out some of the facts now available for every citizen to evaluate when deciding for themselves if the government is violating your privacy rights, and temper that with a few other thoughts.  Using just the FISA 215 program as an example, all of what follows is either from declassified documentation/information released by the ODNI, or provided as testimony on public session in front of the intelligence or judiciary committees by the senior leaders of the intelligence community.  See the ODNI’s IC on the Record website for the details on the FISA 702 program.

The FISA 215 Program

  • Gathers and centralizes at NSA, telephone call records from various U.S. telecommunications companies
  • The telephone companies are compelled to provide the information to the government by a FISA Court order
  • The FISA Court approves the orders based on the law and precedent (e.g. Smith v. Maryland, the FISA Law Congress passed twice, etc.) subsequent to receiving an application for the order by the government (usually the FBI, after coordination with the NSA, ODNI, and the National Security branch of the DoJ)
  • The FISA Court requires the government to store, access, and utilize the call records obtained under the order in a specific manner outlined by the Court, and report all deviations from those orders
  • The only records provided to the government by the telephone companies are:

               Calling Number

               Called Number

               Date & Time of the Call

               Duration of the Call

  • For example: Phone number 203-555-1212 called phone number 203-555-1414 at 0900 on the 10 Oct 2012 and the call lasted 10 minutes
  • No names, no addresses, or other identifying information is provided by the telephone companies under the FISA Court’s order
  • The content of conversations are not collected under this program – other warrants are required to collect content, and NSA says it currently has only 60 active warrants for content collection against U.S. persons
  • Searches of the call records under this authority can only be conducted with a ‘seed phone number’ that can be reasonably and articulately described, in writing, as being terrorism related
  • The written articulation must be signed off on by an NSA manager (an intelligence professional, not a political appointee) before a query is run against the records in the database
  • ALL queries of the database are recorded, tracked, and audited to ensure the FISA Court’s instructions are not violated
  • The returned call records meeting the intelligence need (i.e. not all of the returned records) are turned over to the FBI for any follow-up action
  • If the government wishes to wiretap any number based on the call records NSA provides, it must apply to the appropriate court for a warrant

Laws, Executive Orders, and Congressional Oversight

The United States intelligence community operates under several enabling laws, Executive Orders from the President, and Congressional Oversight.   These laws, orders, and oversight apply to every intelligence program conducted by the United States government. Some of the most notable of these are, USC Title 10, USC Title 50, Executive Order 12333, the Foreign Intelligence Surveillance Act of 1978 (as amended), and the oversight of the Senate Permanent Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, and the Senate and House Committees on the Judiciary.  Within the SIGINT system specifically, the primary instruction for the protection of U.S. citizen’s 4th Amendment rights is outlined in USSID 18.

USSID 18

The recently declassified United States SIGINT Intelligence Directive (USSID) 18, Legal Compliance and U.S. Persons Minimization Procedures, dated 25 January 2011, describes the U.S. person privacy protections all elements of the NSA are obligated and required to follow.  Paragraphs 1.1 – 1.4 show that U.S. person privacy protections required by the 4th Amendment were in place long before Mr. Snowden’s massive leaks of classified material made the subject of U.S. person privacy a daily staple of newspaper front pages and legitimate public concern.  USSID 18 has been in existence since at least 1993.  In addition, the ODNI has made the training materials used by NSA to teach their analysts what is allowed and what is not allowed when dealing with FISA 215 data available for you to see.

Corporate America is ‘Spying’ on You All the Time – And you let them

Every time you make a purchase at a store, they know what you buy, and how often.  That frequent shoppers card you use at the checkout ties you to every item on your shopping list – vegetables, meats, shampoos, bakery products, gluten free items, condoms, feminine hygiene items, etc.  How many, which brands, how often, and which charge card you used.  Think about the ‘pattern of life’ information that offers the company that owns that store about you and your family.  You even surrendered it willingly.    Companies use the information to target advertising, sending you e-mails and paper circulars featuring the products you buy most often using a process called data mining.  You may not mind that, but what else are they using it for?  Reporting to the FDA about how much red meat a family consumes in a year?  How far you travel to get to the store?  How many times a week you go?  At what times of day?  If you have children and how old they are?  Are you under a doctor’s care or do you have an annoying hemorrhoid problem?   The list is practically endless.

Your credit card company shares your purchasing habits with marketing companies.  They may offer you the option to opt out, but I recently received a notice from one of my credit card companies telling me that they shared my personal information and purchase history with eight other companies, only offering me the opportunity to ‘opt out’ of the sharing with two of those companies.

How many video or still cameras did you appear on today as you went about your ‘private’ business?   Did you even notice them?  Did you notice the ones in every store you walk into, each ATM you passed, and the cell phone everyone you passed on the street was carrying?  How many of those cell phone captured videos or still images were forwarded to a friend, lover, relative, or business colleague by the shutterbug/videographer?  Do you know that there is a copy of that video or image on the telecommunication’s company’s servers or systems?  Do you know how long it stays there or what is done with it?  Are they kept for hours or years?  By whom?  How and where are they stored?  Are they ever deleted?  How can you be sure?

Oh, and those private phone calls you make, or e-mails you send?  The telecommunications companies can mine those records as needed to improve their infrastructure, determine what services to market, or even re-direct your communications through the network.  In doing so, do to the technical sophistication of today’s communications networks, the e-mail from your wife or husband in Cleveland, OH, just may have been routed through Vladivostok, Russia, where a copy was left on a server in Russia.  Are the Russian security services scanning that e-mail for information it might find of interest?  Do you honestly think they care about your privacy as a U.S. citizen?  Maybe they think that picture of your significant other in her new Victoria’s Secret undies is pretty hot and keep a few copies.

Internal to these companies, what are the company’s restrictions or policies on which employees can access, review or share that information?  Do those employees go through any kind of background check before they are hired?  What kind of oversight is there on the use or access to the data?

Just Who Might be Invading Your Privacy – The U.S. Government, a Corporation, or a Foreign Government?

Should we be reasonably concerned about U.S. Government overreach and invasion of privacy?  Yes.  It’s our government and we should keep an eye on it.  But I’m less concerned about the U.S. intelligence community’s activities than I am about a telecommunications provider (especially a foreign one) or foreign government’s respect for ‘privacy’ as we perceive it.

In the U.S., the intelligence community’s motivations, codified in both law and executive order, and overseen by Congress and the Courts, is at least grounded in a desire to preserve, protect, and defend the Constitution and the nation.  The professionals in that community undergo deep background checks, polygraph examinations, and in many cases, submit to financial disclosure requirements and psychiatric examinations before being exposed to intelligence operations or activities that may impact a U.S. person’s privacy in the modern digital age.  Moreover, they seem, based on the information released by the ODNI, to be rigorously trained to protect the 4th Amendment rights of U.S. persons, and there is at least one directive in place at NSA that requires that U.S. person privacy is protected.

Corporations (U.S. or foreign) are motivated by a desire to make a profit for their shareholders, and they never have to go to a judge for a warrant to see data that might invade someone’s privacy.  They also don’t have Congress and the Courts looking over their shoulder to be sure they aren’t using ‘private’ data to profile a person’s life, purchasing habits, or travel.

Foreign governments may not care at all about your privacy.  France just passed a surveillance law that, according to the story in the NYT, “…defines the conditions under which intelligence agencies may gain access to or record telephone conversations, emails, Internet activity, personal location data and other electronic communications.  The law provides for no judicial oversight and allows electronic surveillance for a broad range of purposes, including “national security,” the protection of France’s “scientific and economic potential” and prevention of “terrorism” or “criminality.””

Mr. Inglis, Deputy Director of NSA, made a statement during a Q&A session at Penn Law’s Center for Ethics and the Rule of Law Conference that I think is very relevant.  He based it on the number of NSA employees and affiliates who have died since 9/11 and the twelve internally reported ‘willful abuses’ during the conduct of its SIGINT operations – “… it’s three times more likely that you’ll die for your country if you work for NSA than you are to abuse the [U.S. SIGINT] system.”

For myself, while I accept that there is always room to improve a process, law, and oversight; I put more trust in the professionals in the U.S. intelligence community, the laws and policies that govern their activities, the internal controls, and the oversight mechanisms in place in the courts and congress when it comes to protecting my 4th Amendment rights.

 

Read More →

NSA, Privacy, and Mr. Snowden

NSA Complex, Fort Meade, MD.

November 3, 2013 | Posted in 4th Amendment, Director of National Intelligence, E.O. 12333, FISA, FISC, Intelligence, Leaks, NSA | By

NSA Complex, Fort Meade, MD.

NSA Complex, Fort Meade, MD.

Over the last week, Mr. James Clapper (US Air Force, Lieutenant General, Retired) Director of National Intelligence, General Alexander, Director of NSA and Commander of US Cyber Command, Mr. Chris Inglis, Deputy Director of the NSA, and Mr. James Cole, Deputy Attorney General, DOJ testified before the House Permanent Select Committee on Intelligence, as more news stories about NSA, GCHQ, and foreign partner intelligence operations were reported by the media, and Mr. Snowden asked for clemency and the opportunity to testify before Congress.

First of all, I urge you to watch the past week’s testimony on C-Span’s website.  In my opinion, it’s informative and straightforward, and far better than any of the news reporting I saw about it.

On Sunday, the White House, and the chairs of the Senate Select Committee on Intelligence, and the HPSCI all agreed that there would be no clemency for Mr. Snowden.   I will point out that Mr. Snowden’s request does seem to indicate that he is guilty of the crimes he is charged with, since you wouldn’t ask for clemency to avoid or mitigate a criminal penalty unless you felt you would be found guilty.

Let’s talk about privacy for a minute.  Privacy is a right that every U.S. citizen expects, as do most people in modern nations with educated populaces operating in a modern telecommunications environment.  The testimony last Tuesday re-affirmed that the mission of the NSA is the production of foreign intelligence from SIGINT, which does not include the invasion of U.S. citizen’s privacy without a court order or warrant.  It also highlighted that NSA’s mission (like all the other U.S. intelligence agencies) is driven by foreign intelligence requirements issued from the White House and the President’s national security staff in the form of the National Intelligence Priorities Framework (NIPF).  Further, that the NSA’s mission is conducted in accordance with US law, and where U.S citizen’s privacy rights are concerned, with the added protections of oversight by the Office of the Director of National Intelligence, the Department of Justice, and the FISA Court.

In case you think I don’t know what I’m talking about, you can find out for yourself.  Do a little research of your own into the legal authorities for the missions of the intelligence community.  Read Executive Order 12333, and USC Title 50, Chapters 36 (FISA), 45 (Intelligence Community Authorities), 46 (CIA), 47 (NSA), and the Intelligence Community Directives (ICD) available on the Director of National Intelligence’s website.  All of these require adherence to the U.S. Constitution’s Fourth Amendment protections against unreasonable search and seizure.

As for the on-going concerns expressed in the media of gross intentional violations of U.S. citizen’s privacy, I believe they are unfounded, based on the NSA’s now declassified internal reporting and the declassified legal opinions now available on the FISA Court and ICONTHERECORD web sites.  For those that harbor concerns about the telephone metadata collection, read the posted court opinions and other material yourself.  As you do so, remember two things: the call records were provided to NSA under a series of court orders applied for by the DOJ, under a law repeatedly approved by Congress.   We also know now that those orders cited long standing Supreme Court precedent and placed specific controls on how the call data can be accessed and used.  Those controls were developed and directed by the FISA Court, across multiple judges’ tenures, based on the knowledge of the professionals at NSA and the experience of honest error that occurs in any process humans engage in.

General Alexander also made some remarks in Baltimore last week where he took the media to task for continuing to write articles from the classified material Mr. Snowden took, and for writing stories that were inaccurate and/or mischaracterized what they were reading in the material.   Personally, I wouldn’t want a journalist, not trained as a medical professional, looking at a set of power point slides or other internal hospital documents and then drawing a conclusion that every heart surgeon in that hospital was using improper technique and placing patient’s lives at risk – they just aren’t qualified to understand what they are looking at.  Intelligence activities operate (in the U.S.) under the U.S. Constitution, U.S. law, and all the policies and procedures each agency derives from them.  It is a complex professional environment that took me years during my career to truly master, and I assure you Mr. Snowden’s understanding of them, based on his statements and his alleged criminal acts, is sadly lacking.

I place much more weight on the statements of people like General Alexander, Mr. Inglis, and Mr. Cole; as well as people like Representative Rogers, Senator Feinstein, and many others on the relevant committees, particularly when they all resoundingly castigate Mr. Snowden for his apparent crimes, and demonstrate understanding and predominate agreement with these senior members of the intelligence community.  Mr. Cole alone effectively recused himself, as the Snowden matter is an on-going investigation/item of litigation and he cannot comment under the requirements of professional ethics.  As with any human endeavor, I’m sure there may be improvements to be made in the conduct of all intelligence operations, but those changes need to come from more Senators and Congressmen and women doing their ‘homework’ as Mr. Rogers put it during the hearing this week, not from a public debate on sources and methods that gives our nation’s adversaries the means to avoid U.S. intelligence scrutiny and places U.S. citizens, military members, diplomats, and our allies’ citizens in danger at home and abroad.

Moreover, I think you should keep something else in mind.  According to the official statements, there are more than 100,000 men and women in the intelligence community of the United States, and more than 30,000 men and women working for NSA.  Only one lone man, a systems administrator with no intelligence training to speak of, with an apparent surfeit of ego and naïveté, decided to steal and leak tens of thousands of classified documents to the media because he alone felt that illegal acts were being committed.  I find it difficult to believe, based on my own extensive experience working with the dedicated, trained professionals at NSA and the rest of the intelligence community that ANY of those people would be shy about speaking up if anything they were asked to do was outside the law or their assigned intelligence mission.

I am also sure they would use the proper channels to reach out to the NSA Inspector General, the National Security Division of the Department of Justice, and the relevant committees in Congress where their concerns would have been given fair hearing and extreme scrutiny, rather than risk the lives of American citizens, military members, and innocent people abroad by exposing classified sources and methods information.

As Congress debates changes to the FISA law, the need for increased transparency to assure an understandably concerned public, and some its members reexamine the vigor with which they make themselves aware of the on-going intelligence operations of the U.S. government, I have no doubt that whatever direction the President issues or oversight requirements or changes in law Congress puts in place will be obeyed faithfully by the intelligence community – just as they have over the years since 9/11.

Finally, I’m sure that certain elements of the press will continue to publish articles from the classified material Mr. Snowden provided them, just as I’m sure our Russian friends are doing their level best to learn everything they can from Mr. Snowden about his brief time in the U.S. intelligence community.  Remember, he can only stay in Russia for a year, and the extension of his stay is a very big carrot (and stick) to encourage him to talk.  Otherwise, he might find himself on the next plane out of Russia – to a courtroom in the United States in the company of some U.S. Marshals.

Read More →

Where Does Classified Information Come From?

White House Logo

September 29, 2013 | Posted in CIA, Classified Information, Department of Defense, Department of State, DIA, Director of National Intelligence, EO 13526, Intelligence, Leaks, NSA | By

White House Logo

White House Logo

Given the recent huge leaks of classified information by Mr. Snowden, and the large volume of press reporting resulting from it, I was struck by some of the comments by politicians and journalists about the ‘over classification’ of information by elements of the executive branch or the excessive amount of information classified by the United States government.

Since most Americans have no direct experience with generating or handling classified information as part of their daily lives, I thought I’d cover some of the basics of the subject and hopefully lend a little knowledge and background information as food for thought.

The first thing you should know is that the high level guidance for classifying information is not classified at all.  That’s right, the basic instructions and guidelines are completely unclassified and available to anyone if you do a little digging.  In fact, the guidance comes from the President as an Executive Order, which is binding on all executive branch departments and agencies, including all elements of the Defense Department (which includes the DIA and the NSA) and all sixteen agencies/elements of the Intelligence Community (the CIA, the Department of Energy, etc).

All of the recent Presidents: Regan, Bush, Clinton, Bush, and Obama have issued Executive Orders laying out the rules for determining what can be considered classified national security information, and in my experience, those rules have not substantially changed the basic guidelines or criteria for determining what information to classify.  They have altered the length of time information can remain classified, as well as some of the review timelines, but that’s about all.

The current Executive Order, EO 13256, entitled ‘Classified National Security Information’ was signed by Barack Obama on December 29, 2009 and remains in force.

In order to start classifying information, you need to know a few things:  What levels of classification are there, who is allowed to classify information, and what information should be classified.

Classification Levels

No surprises here, you’ve all heard or seen them in the movies, but I’m listing them along with the definitions because these are the only classification levels in use by the U.S. Government (unless some statute creates others) and the definitions are key to allowing a classification authority to make a decision about which level a piece of information should be classified at.

  • “Top Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe
  • “Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe
  • “Confidential” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe

A key takeaway here is the last phrase in each definition: ‘that the original classification authority is able to identify or describe’.  No parlor games or hidden items here.  The damage that may result has to be able to be identified and described in writing by the classifying authority, otherwise known as the Original Classification Authority.

Who Can Classify Information?

If you think any government official or employee of the government can classify information just to keep it from the public, you are misinformed or have made a poor assumption.  The real world is not what Hollywood or the more conspiracy minded among us might think.

EO 13256 establishes two classification authorities – Original Classification Authority and Derivative Classification Authority.

Original Classification Authorities (OCA) are the President, Vice President, Agency and Department heads designated by the President, and U.S. Government Officials delegated in writing.  These Officials are usually General Officers in the military or Senior Executive Service level civilians in the civil service, not front line worker bees or managers.  Once they have been trained (yes they Order requires that they be trained), an OCA can make decisions, in writing, about exactly what information their department or agency creates should be classified.  To make those decisions, they must apply and adhere to the criteria described in the President’s Order (more on that in a bit).  Out of the entire federal workforce of 2.2 million people in 2012, only 2,326 were OCA.

A Derivative Classification Authority (DCA) is one of those worker bees or managers in an organization or entity who might create a document, power point slide, or some other material that would need to be classified.  They work solely off the written decision of the OCA discussed earlier.  They do not get to decide what is classified at which level, they must follow the written guidance they have received from the OCA.

What Information Gets Classified?

Under the President’s Order, information can only be classified if it meets ALL of the following criteria:

  • An original classification authority is classifying the information
  • The information is owned by, produced by or for, or is under the control of the United States Government
  • The information falls within one or more of the categories of information listed in the order
  • The original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage.

Moreover, the Order also states that “If there is significant doubt about the need to classify information, it shall not be classified.”

The categories of information the Order allows an OCA to classify are:

  • Military plans, weapons systems, or operations
  • Foreign government information
  • Intelligence activities (including covert action), intelligence sources or methods, or cryptology
  • Foreign relations or foreign activities of the United States, including confidential sources
  • Scientific, technological, or economic matters relating to the national security
  • United States Government programs for safeguarding nuclear materials or facilities
  • Vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security
  • The development, production, or use of weapons of mass destruction

Note that under the order, you are not permitted to classify information for political purposes (i.e. claiming ‘national security’ when you are covering up a crime like Nixon did), to hide crimes or malfeasance, or simply because you don’t want to share information with the public.  In our system, it meets the criteria or it doesn’t get classified.

An Example

That’s quite a bit to take in quickly, so lets walk through a simplified practical example.  For the next five minutes, we’ll assume I’ve been appointed Secretary of Defense.  Consequent to my appointment, The President appoints me in writing as an OCA.

Soon after, the Commander of  Central Command walks into my office to inform me that he’s able to track the movements of the terrorist Usama bin Bad Guy.  Bad Guy calls his wife every day at noon to check in with her and he often tells her where he is, and CENTCOM has the ability to monitor the phone calls using NSA’s SIGINT capabilities.  Since Bad Guy is planning terrorist operations in Europe and the U.S., the CENTCOM Commander wants to capture or kill Bad Guy before he can carry out his plans.

Obviously, I need to give the Commander some guidance on classifying some important national security information.

First of all, does the information meet all four criteria?  Yes.  The President appointed me as an OCA, the information is produced and under the control of the U.S. Government (the DoD), it all falls within two of the categories of information that can be classified (military plans and operations and intelligence), and as the new Secretary of Defense, I’ve determined that disclosing the information may damage national security.

So here are the results of my classification decisions as an OCA, in writing for the CENTCOM Commander:

The fact that we can track Usama bin Bad Guy’s movements will be classified TOP SECRET

The fact that NSA & CENTCOM can monitor Usama bin Bad Guy’s phone calls will be classified TOP SECRET

Any information about Bad Guy’s terrorist plans in Europe or the U.S. will be classified SECRET

The CENTCOM operations to capture or kill Bad Guy will be classified TOP SECRET

This written listing forms the Classification Guide that CENTCOM and all other subordinate elements of the DoD will follow.  The practical effect of this is that all military and civilian personnel will now use this guide to exercise their Derivative Classification Authority under EO 13256 to classify any information about Bad Guy’s movements, the content of his phone calls, his evil plans for Europe and the U.S., and the CENTCOM operations to stop him.

Depending on how long Bad Guy keeps calling his wife, and CENTCOM takes to plan and execute operations to capture or kill Bad Guy, hundreds or thousands of documents containing classified information may be generated, from just this one activity alone.

How Many Classified Documents Are There?

According to the National Archives’ Information Security Oversight Office’s 2012 Annual Report, which covers all U.S. Government executive branch agencies, the 2,326 OCA’s made 73,477 original classification decisions.

The employees across the government who create and handle classified material made 95,180,243 derivative classification decisions during that year.  That seems like a large number, but given the proliferation of office automation technologies and computer networks, you need to remember than every e-mail, every word or power point document, or field or record in a database is counted because it was subject to a derivative classification decision.

Moreover, given the wording in the report, (i.e. decisions versus documents) you should remember that decisions themselves may not equate to just an individual ‘document’.  One derivative classification decision on a paragraph in a twenty page word document can result in twenty classified pages because of the procedures used when classifying the whole document.  Each classified page may be counted as one ‘classification decision’ based on the instructions issued by that organization to comply with the National Archives annual need.  Having been part of some of the counting that happens once a year, I can tell you that the number of decisions is a reasonable benchmark, but probably under counts the actual number of classified items (call them documents, pages, or whatever you like) created due to the counting method in use  and the usual bureaucratic processes in government.

Surprisingly, the Department of State made the most original classification decisions in FY 2012 – 39,770, while the Department of Defense only made 19,121.

Hopefully, you now have a better understanding of how classified information is generated by the government and why there is so much of it.

Read More →

Executive Order 12333 Amended

July 31, 2008 | Posted in CIA, DIA, Director of National Intelligence, E.O. 12333, EO 12333, Intelligence, NSA, U.S. Code Title 10, U.S. Code Title 50 | By

1357163342_6957_whitehouse-logoPresident Bush issued Executive Order 13470 yesterday. This order alters Executive Order 12333, UNITED STATES INTELLIGENCE ACTIVITIES.

EO 12333 is one of the documents used within the U.S. Intelligence Community (IC) to set policy, along with U.S. Law, the Constitution of the United States, and the Bill of Rights.

It sets out the President’s guidance for the management of the community, affirms the roles and responsibilities of various IC elements, and prescribes some specific prohibitions the IC and its employees must respect.

So what was changed? (The changes listed below do not reflect typographical, grammatical, or consistency related changes within the EO.)

Part 1 – “Goals, Directions, Duties, & Responsibilities with Respect to U.S. Intelligence Efforts” was completely re-written. The major effect of the re-write of Part I is to insert the Director of National Intelligence (DNI) into a position of more direct control over the IC. This re-write helps to codify the DNI’s authority and will hopefully cut down on any, “Yes you will.” “No I won’t.” situations between the DNI and the heads of the IC elements.

Part 2 – “Conduct of Intelligence Activities” was altered to include:

  • Changing Section 2.2 to include gathering foreign intelligence regarding “the spread of weapons of mass destruction.”
  • Changing Section 2.3 to ensure that signals intelligence (SIGINT) is only “disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.”
  • Changing Section 2.3.e to permit the collection, retention, and dissemination of information needed to protect foreign intelligence or counterintelligence activities.
  • Changing Section 2.5 to limit the delegation of the approval of the IC’s monitoring of a U.S. Person to that outlined in the FISA of 1978, as amended.
  • Adding a new section, 2.13, which states that, “No covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.”

Part 3 was altered to include:

  • Affirming the Attorney General’s (AG) Role in Approving Procedures Established by IC Element Heads that Implement the Procedures in Section 2 – Any Dispute Between the AG and the IC Element Head will be Resolved by the National Security Council
  • Providing current definitions of Counterintelligence, Covert Action, Electronic Surveillance, Employee, Foreign Intelligence, Intelligence, Intelligence Activities, the members of the IC, National Intelligence & Intelligence Related to National Security, and the National Intelligence Program

The prohibition against assassination remains in place, as well as the ban on human experimentation outside of the guidelines provided by the Department of Health and Human Services where the subject’s informed consent has been documented.

Read More →