The Snowden Operation
Page 4
The Snowdenistas' extremism and hyperbole reflect a mind-set which the blogger Catherine A Fitzpatrick has outlined well in her essay 'When Thinking Styles Collide'.57 She was actually writing about the geek world's attitude to anti-piracy legislation, but the points she makes also highlight the weakness of other self-described crusaders for digital freedom, who scorn the law-making process, and judicial and parliamentary oversight, as out-of-date or irrelevant in the digital age. Geeks, she says, do not 'get' governance.
They don't understand how a bill becomes a law and don't believe in the process;
They don't understand how cases get prosecuted and how evidence has to be presented and [how] the different parts of the judicial system operate … checks and balances;
They don't get how judicial review works to determine constitutionality.
The problem, she argues, is that tech-savvy people tend to look at laws as if they are computer code. In the software world, even a tiny flaw negates a hugely strong premise. Once a bad law is on the books, they believe, it will operate like bad software: mechanically, like a guillotine. So: 'unless every single edge-case, hypothetical, problem is identified, spelled out, and remedied, nothing can stand.'
That is not the way that a modern law-governed society works. Imperfections and hard cases abound. The art of politics and administration is balancing constraints and anomalies in a way that produces the least unfair or dangerous outcomes, now and in the future. That world is messy and sometimes murky. To the self-righteous and impatient it may seem impossible to change. But for all its faults, it is capable of correction. America recovered from the McCarthy era. The Church committee reined in an out-of-control FBI after the abuses discovered in the 1970s. The same is true in other Western countries.
Zealots such as Snowden prefer their own judgment to the outcomes that this flawed, slow, muddled system provides. It is their right to believe this and to act on it—within the law. But their form of protest takes the form of stealing and publishing state secrets, in a way that causes irreversible damage (impact, as they would put it). This is not an approach that would be tolerated in other forms of protest. Anti-nuclear activists may blockade power stations or weapons facilities. Even they would regard it as irresponsible to try to sabotage them, aiming to cause maximum damage, in the expectation that the resulting debate will outweigh the harm done.
Arbitrary power is the great grievance of the Snowden camp. Who gave the NSA and GCHQ the power to bug and snoop? The real answer to that is simple: the elected governments and leaders of those countries, the judges and lawmakers who have the constitutional authority to supervise intelligence services, and the directors of the agencies in the exercise of their lawful powers. You may not like the system. You may think it needs improving (I do). But never in the history of intelligence has supervision been stronger. America in particular stands out as a country that has taken the most elusive and lawless part of government and crammed it into a system of legislative and judicial oversight. Greenwald simply dismisses such arrangements. For those in search of reform, he argues, 'the answer definitely does not lie in the typical processes of democratic accountability that we are all taught to respect'.58 Instead, he thinks the answer lies in international pressure on America. Shame and destruction, not votes, laws and institutions, bring about reform.
The question about arbitrary power actually deserves to be posed in the other direction. What constitutional authority do the Guardian, Der Spiegel or the New York Times have? What gives them the right to leak their countries' most closely guarded secrets, obtained at vast expense, and with the sacrifice of tens of thousands of man-hours? Even the most passionate defenders of press freedom would hesitate to say that editors are the supreme guardians of the national interest. And even the most self-important editor would hesitate to claim omniscience. What expertise do editors and journalists have in handling these stolen secrets? How can they judge that a particular programme is worthy of exposure (rendering it useless overnight and perhaps endangering those who have worked on it) and that another can be spared the glare of publicity, at least for now and possibly ever?
The publication of secret documents, without context or challenge, has a pernicious effect on the debate that follows. As Inkster, the former British spymaster now at the International Institute for Strategic Studies in London, points out:
Not even the NSA knows for certain how much information Snowden actually stole. It is clear, however, that he could not possibly have read more than a fraction of this material. It is equally clear that he did not understand the significance of much of the material he did read and that the same was true for the newspapers that published it. The resulting confusion and misapprehensions that have taken hold within the media and shaped the public debate about the NSA's bulk collection activities have not been effectively challenged or rebutted by the US and UK governments for various reasons, chief among which has been a desire not to create a damaging precedent by responding to specific allegations regarding the activities of their intelligence agencies. 59
As far as can be inferred from Greenwald's public statements (he declined to respond to my requests for comment), his main aim is to make a splash. Asked how he chooses which material to release, and which to withhold, he answered:
We chose certain information we wouldn't disclose, eg what would help other states improve their surveillance, or anything that NSA has gathered about people (that would do the NSA's dirty work) or anything that would endanger the lives of innocent human beings. We want to publish in a way that will create the most powerful debate and greatest level of recognition.60
That is a striking claim. Who is Greenwald to decide who is 'innocent' and who is not? Are all employees of the NSA to be counted as 'guilty' of engaging in 'dirty work'? And everyone who cooperates with them? Or only some? And guilty of what? Is Greenwald the judge, jury and executioner of the careers of public servants who have operated within the law, at the behest of elected governments, and under the oversight of courts and lawmakers?
It is only a mild caricature to say that the presumption behind the leaks is that the intelligence agencies in the West are the greatest threat to freedom on the planet. As Inkster argues, 'for those who regard intelligence services as inherently illegitimate or take the view that the US is the world's number-one rogue actor, no counter-narrative will ever be convincing'. Such fears may be the basis for a thrilling screenplay in a Hollywood movie, where vast sinister forces are marshalled against a lone hero. But they are a poor guide to real life.
One of the overwhelming impressions left by the leaked documents is, in fact, of a painstaking approach to legality. The spies did not believe that what they wrote would ever become public. Like other bureaucrats, they trumpeted their achievements in the hope of scoring points and winning favour. That comes across sometimes as chirpy or crass. But nothing revealed shows contempt for judicial oversight or a wilful desire to evade it.61
The NSA and other agencies do try to work out what the maximum is that they can do within the limits of the law. In some cases, they overstep the mark and get slapped down, sometimes crossly, by the FISC or Congress; moreover, individual officers of the agencies may knowingly break the rules. But the fact that these breaches were recorded in internal agency documents (and in the case of individual wrongdoing, disciplined) bespeaks adherence to procedure, not a cover-up.
Moreover, to err is human: bureaucratic self-aggrandisement is common in other branches of government too. Police officers sometimes intimidate suspects, fake evidence or beat up protestors. Soldiers haze new recruits or commit war crimes. Teachers and social workers abuse their power. (Even journalists can be crooked, deceitful or brutal.) Intelligence officers make mistakes too. It is true that the powers that the agencies enjoy mean that they must be particularly vigilant against abuse. But the really striking thing about the revelations to date (which are presumably cherry-picked to portray the NSA and its allies in the worst possible light) is t
he conscientious, tame and bureaucratic approach they reveal. It is true that the FISA court turned down few requests from the NSA. But this does not prove that the court is toothless. It reflects the fact that the NSA itself vets its own requests to weed out those that are unlikely to gain approval.
The recklessness, damage, narcissism, and self-righteousness of the Snowden camp do not invalidate all their aims. A debate on the collection and warehousing of meta-data was overdue. Collected and scrutinised, meta-data can breach privacy: if you know who called a suicide prevention helpline, or an HIV testing service, or a phone-sex line, and from where and when, the content of the calls matter less than the circumstances. These collections of meta-data, it should be noted, are not only vulnerable to abuse by nosy spooks: they are available in colossal amounts to private sector internet companies, some of whom may protect them only lightly and use them with far greater freedom than a bureaucrat.
More importantly in my view, the Obama administration has treated whistleblowers with scandalous harshness, especially those from inside the intelligence community. The hardest point for critics of Snowden is to explain what he should have done with his worries had he chosen to stay within the system. Genuine whistleblowers such as Thomas Drake, a senior NSA analyst, who believed (rightly or wrongly) that they were exposing abuses within the agency, were hounded and prosecuted under laws which would be rightly applied to spies and traitors. They are now strong supporters of Snowden's chosen course of action.
The Snowden revelations have also exposed the fact that senior officials, particularly America's Director of National Intelligence, James Clapper, have not been fully frank with Congress. He was asked in an open Senate Intelligence Committee hearing in March: 'Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?' A correct response would have been to give a boilerplate answer: data and meta-data are collected within the law and further information would be available in a closed session. Instead he answered 'No Sir'; when that response was queried, he continued: 'Not wittingly … there are cases where they could inadvertently perhaps collect, but not wittingly.'62 In a strict sense that was true: phone records are not exactly 'data', and storing them for future scrutiny is not exactly 'collecting'. The members of the committee were aware of the programmes concerned, having been briefed on them in classified sessions. The question was, in a sense, a trap, aimed at bouncing Clapper into revealing more than he wanted. But for all that, as a member of the executive branch, he is under a solemn duty not to mislead the legislature—or to mislead citizens who are observing its questioning of their government officials. For whatever mixture of motives or confusion, he breached that duty. He apologised later, pleading confusion not deliberate deceit. Though charges that he 'perjured' himself or deliberately lied to Congress are an exaggeration, in his place I think I would have resigned.
Lawyerly definitions of terms such as 'data', 'collect' and 'abuse' have allowed the NSA to stretch its remit in a way that some may now regard in retrospect as excessive. But it has done so within the system, not outside it. NSA officials (like their counterparts in GCHQ and allied agencies) are not cowboys, brutes or madmen. They signed up to defend their country's freedoms, not to undermine them. They tend to be sober, law-abiding types with a punctilious regard for procedures. The dire state of their morale now is a result of Snowden's disclosures. The consequences remain to be seen. The dangers of abuse in a woe-struck agency may be greater than in one where morale and corporate culture are healthy.
One can argue (and I would agree) that the NSA needs reform, that it has become too big, too dependent on private contractors, too sloppy in its security procedures, too hard to oversee and too slippery in its definitions of what it may and may not do. All these shortcomings are cause for concern (though not for panic) and are worthy subjects for discussion. As General Clapper himself has admitted: 'As loath as I am to give any credit for what's happened, which is egregious, I think it's clear that some of the conversations that this has generated, some of the debate, actually probably needed to happen.'63
It is hard to dispute that the public should be aware that the NSA has stretched the definition of material 'relevant' to terrorism to include warehousing the phone records of every call made or e-mail sent in America, and that the agency has had serious rows with the FISA court. Thanks to Snowden, the public now knows this. The modest reforms announced by President Obama on January 17th are also a direct result of the Snowden leaks. But such benefits need to be weighed against the costs. Nothing evinced so far justifies the catastrophic damage that the Snowden leaks have done to national security—the worst disaster in the history of American and British intelligence.
Chapter Three: Damage Control
The mere whiff of a breach acts like nerve poison on intelligence agencies. If you lose even a single document, or believe an unauthorised person has had access to it, assumptions must be of worst-case scenarios. Assume that the Russians learn that an outwardly boring Irish insurance broker in the Ukrainian capital Kiev, for example, is actually an undercover officer of Britain's Secret Intelligence Service. What will they be able to do with that information? Will he be in danger? Will they able to find what agents he is running? If so, they must be brought out: they risk arrest. Maybe the agents are safe, but the operation cannot continue: in that case everyone involved must be stood down inconspicuously. What about colleagues? Safe houses? Dead-letter boxes? Another question is when the breach occurred. Can one be sure that this was the first instance? How solid is the 'product' (the intelligence obtained from the compromised network or individual)? Should it be assessed or analysed differently? Is it possible that the adversary used the breach to feed misleading information and then monitor the results? The answers to these questions may be 'no'. But an experienced team of counter-intelligence officers must ask them, find the answers, check and double-check. The taint of even a minor breach must be analysed, contained and cleaned.
If a single breach is a serious problem, two make a nightmare—particularly if the missing material comes from different bits of the organisation. Documents which may on their own be quite anodyne can be gravely damaging if they are combined. Revealing an intelligence officer's cover name may be no big deal. But combined with his previous travel, it could be the clue that gives the adversary details of an operation. Multiple breaches increase the problem exponentially. Each bit of compromised information must be assessed not only on its own, but in relation to every other piece of data. As the numbers mount, the maths becomes formidable. Four bits of information have 24 possible combinations. Seven have 5,040. Ten have more than three million. If Snowden has taken a million documents, the permutations that—in theory—need to be examined exceed the number of atoms in the universe.
Snowdenistas dispute claims of colossal damage. Foreign intelligence services in Russia or elsewhere do not and will not have access to the stolen material, they maintain. But dealing with secrets is a highly technical and complicated business. People build their careers on it. It requires elaborate procedures to store the information, to set and administer levels of access, to monitor who sees it, when, why and how, and particularly to authorise, log and track any copies made. It requires specially built premises, and staff who must be carefully recruited and trained and subjected to regular screening. The whole setup—with its physical, bureaucratic and human elements—involves regular checks, and possibly professional penetration tests, in which expert outsiders are tasked with trying to break the security systems. It is also designed to minimise the effects of any breach—for example by seeding the data with tell-tales (to highlight if it is being misused) or booby-traps (to act as a deterrent to malefactors). All of this takes place in the knowledge that the world's most sophisticated intelligence agencies regard other countries' secret data as a top priority.
Snowden's allies may be admirable journalists. But they do not have the experience or resources to protect the information he has stolen. Thei
r offices cannot be made safe against electronic eavesdropping. They do not know how to make their computers truly secure. The idea that the material is safe because it is encrypted is shockingly naïve: it is child's play for a sophisticated adversary to place malware on a computer, remotely and invisibly, which logs every key stroke, and records everything that appears on the screen. Such 'end-point vulnerabilities' render even the heaviest encryption pointless. They can be delivered via a mobile phone or through an internet connection (or by some other subtle and secret means). Snowden knows this. It is possible that someone with his technical skills could keep the stolen data secure on his own computers, at least for a time and if he does not switch them on. But that becomes ever less likely over time.
Security becomes outright impossible when the material is handled by a team of amateurs. How many people have access? Who has screened them? What are their vulnerabilities—financial and psychological? Does anyone check their bank accounts? Are any of them vulnerable to blackmail? Do they have any training in avoiding 'social-engineering' attacks (such as impersonation)? What about the use of force? What happens if someone becomes disillusioned and leaves the team? A shocking example of carelessness came when Greenwald's partner, David Miranda, was stopped while changing planes at London's Heathrow Airport in August. His luggage included a number of 'thumb' USB drives and electronic devices, carrying some of the Snowden trove (as well as, some reports say, a password, apparently written on a bit of paper). Any public official who carried secret data this way would be fired and then prosecuted. A similarly sackable offence would be sending secret material across international borders by a commercial courier company such as FedEx. The editor of the Guardian, Alan Rusbridger, admits that he did just this, and jokes about it on his Twitter profile.64 (Mr Rusbridger's defenders say that the material was heavily encrypted and that both the sender and receiver were third parties; he may feel that this ruse is fail-safe but security professionals would not.)