by Fred Kaplan
One leak was the full, fifty-page catalogue of tools and techniques used by the elite hackers in the NSA’s Office of Tailored Access Operations. No American or British newspaper published that document, though Der Spiegel did, in its print and online editions. Fort Meade’s crown jewels were now scattered all over the global street, for interested parties everywhere to pick up. Even the material that no one published—and Snowden’s cache amounted to tens of thousands of highly classified documents—could have been perused by any foreign intelligence agency with skilled cyber units. If the NSA and its Russian, Chinese, Iranian, French, and Israeli variants could hack into one another’s computers, they could certainly hack into the computers of journalists, some of whom were less careful than others in guarding the cache. Once Snowden took his laptops out of the building in Oahu, its contents—encrypted or otherwise—were up for grabs.
But the leaks about foreign intelligence operations—the intercepts of email in Afghanistan and Pakistan, the TAO catalogue, and the like—were overshadowed, among American news readers, by the detailed accounts of domestic surveillance. It was these leaks that earned Snowden applause as a whistleblower and engulfed the NSA in a storm of controversy and protest unseen since the Church Committee hearings of the 1970s.
The Snowden papers unveiled a massive data-mining operation, more vast than any outsider had imagined. In effect, it was Keith Alexander’s metadata experiment at Fort Belvoir writ very large—the realization of his philosophy about big data: collect and store everything, so that you can go back and search for patterns and clues of an imminent attack; when you’re looking for a needle in a haystack, you need the whole haystack.
Under the surveillance system described in the Snowden documents, when the NSA found someone in contact with foreign terrorists, its analysts could go back and look at every phone number the suspect had called (and every number that had called the suspect) for the previous five years. The retrieval of all those associated numbers was called the first “hop.” To widen the probe, analysts could then look at all the numbers that those people had called (the second hop) and, in a third hop, the numbers that those people had called.
The math suggested, at least potentially, a staggering level of surveillance. Imagine someone who had dialed the number of a known al Qaeda member, and assume that this person had phoned 100 other people over the previous five years. That would mean the NSA could start tracking not only the suspect’s calls but also the calls of those 100 other people. If each of those people also called 100 people, the NSA—in the second hop—could track their calls, too, and that would put (100 times 100) 10,000 people on the agency’s screen. In the third hop, the analysts could trace the calls of those 10,000 people and the calls that they had made—or (10,000 times 100) 1 million people.
In other words, the active surveillance of a single terrorist suspect could put a million people, possibly a million Americans, under the agency’s watch. The revelation came as a shock, even to those who otherwise had few qualms about the occasional breach of personal privacy.
Following this disclosure, Keith Alexander gave several speeches and interviews, in which he emphasized that the NSA did not examine the contents of those calls or the names of the callers (that information was systematically excluded from the database) but rather only the metadata: the traffic patterns—which phone numbers called which other phone numbers—along with the dates, times, and durations of those calls.
But amid the dramatic news stories, an assurance from the director of the National Security Agency struck a weak chord: he might say that his agency didn’t listen to these phone calls, but many wondered why they should believe him.
The distrust deepened when Obama’s director of national intelligence, James Clapper, a retired Air Force lieutenant general and a veteran of various spy agencies, was caught in a lie. Back on March 12, three months before anyone had heard of metadata, PRISM, or Edward Snowden, Clapper testified at a public hearing of the Senate Select Committee on Intelligence. At one point, Senator Ron Wyden, Democrat from Oregon, asked him, “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”
Clapper replied, “No, sir . . . not wittingly.”
As a member of the select committee, Wyden had been read in on the NSA metadata program, so he knew that Clapper wasn’t telling the truth. The day before, he’d given Clapper’s office a heads-up on the question that he planned to ask. He knew that he’d be putting Clapper in a box: the correct answer to his question was “Yes,” but Clapper would have a hard time saying so without making headlines; so Wyden wanted to give the director a chance to formulate an answer that addressed the issue without revealing too much. He was surprised that Clapper dealt with it by simply lying. After the hearing, Wyden had an aide approach Clapper to ask if he’d like to revise and extend his reply for the record; again to Wyden’s surprise, Clapper declined. Wyden couldn’t say anything further in public without violating his own pledge to keep quiet about high-level secrets, so he let the matter rest.
Then came the Snowden revelations, which prompted many to reexamine that exchange. On June 9, the first Sunday after the Snowden leaks were published, Clapper agreed to an interview with NBC-TV’s Andrea Mitchell. She asked him why he’d answered Wyden’s question the way he did.
Clapper came off as astonishingly unprepared. “I thought, though in retrospect, I was asked ‘when are you going to . . . stop beating your wife’ kind of question, which is . . . not answered necessarily by a simple yes or no,” he began in an incoherent ramble. Then, digging himself still deeper in the hole, he said, “So, I responded in what I thought was the most truthful—or least untruthful—manner by saying, ‘No.’ ”
Doubling down, Clapper homed in on Wyden’s use of the word “collect,” as in, “Did the NSA collect any type of data . . . on millions of Americans?” Imagine, Clapper said, a vast library of books containing vast amounts of data on every American. “To me,” he went on, “collection of U.S. persons’ data would mean taking the book off the shelf and opening it up and reading it.” Therefore, he reasoned, it wasn’t quite a lie to say that the NSA did not collect data on Americans, at least not wittingly.
The morning after the broadcast, Clapper called his old friend Ken Minihan, the former NSA director, to ask how he did. Minihan was now managing director of the Paladin Capital Group, which invested in cyber security technology firms worldwide: he’d been out of government for more than a decade, but he kept up his contacts throughout the intelligence world; he still had both feet in the game, and he’d watched Clapper’s interview in sorrow.
“Well,” Minihan replied, in his folksy drawl, “you couldn’t have made things any worse.”
Clapper might have been genuinely perplexed. Five years earlier, the FISA Court had allowed the NSA to redefine “collection” in exactly the way Clapper had done on national television—as the retrieval of data that had already been scooped up and stored. At the time of that ruling, Alexander was laying the foundations of his metadata program; it was illegal to “collect” data from Americans, so the program couldn’t have gone forward without redefining the term.
But the FISA Court was a secret body: it met in secret; its cases were heard in secret; its rulings were classified Top Secret. To Clapper and other veterans of the intelligence community, this reworking of a common English word had insinuated its way into official parlance. To anyone outside the walls, the logic seemed disingenuous at best. Clearly, to collect meant to gather, to sweep up, to bring together. No one would say, “I’m going to collect The Great Gatsby from my bookshelf and read it,” nor did it seem plausible that anyone in the NSA would say, “I’m going to collect this phone conversation from my archive and insert it in my database.”
The NSA had basked in total secrecy for so long, from the moment of its inception, that its denizens tended to lose touch with the outside world. In part, its isolation was a product of its mandate: making and breaking c
odes in the interest of national security ranked among the most sensitive and secretive tasks in all government. Yet the insularity left them without defenses when the bubble was suddenly pierced. They’d had no training or experience in dealing with the public. And as the secrets in Snowden’s documents were splashed on front-page headlines and cable newscasts day after jaw-dropping day, the trust in the nation’s largest, most intrusive intelligence agency—a trust that had never been more than tenuous—began to crumble.
Opinion polls weren’t the only place where the agency took a beating. The lashes were also felt, and more damagingly so, in the agitated statements and angry phone calls from corporate America—in particular, the telecoms and Internet providers, whose networks and servers the NSA had been piggybacking for years, in some cases decades.
This arrangement had been, for many firms, mutually beneficial. As recently as 2009, after the Chinese launched a major cyber attack against Google, stealing the firm’s source-code software, the crown jewels of any Internet company, the NSA’s Information Assurance Directorate helped repair the damage. One year earlier, after the U.S. Air Force rejected Microsoft’s XP operating system on the grounds that it was riddled with security flaws, the directorate helped the firm design XP Service Pack 3, one of the company’s most successful systems, which Air Force technicians (and many consumers) deemed secure straight out of the box.
Yet now with their complicity laid bare for all to see, the executives of these corporations backed away, some howling in protest, like Captain Renault, the Vichy official in the film Casablanca who pronounced himself “shocked, shocked to find that gambling is going on in here,” just as the croupier delivered his winnings for the night. Their fear was that customers in the global marketplace would stop buying their software, suspecting that it was riddled with back doors for NSA intrusion. As Howard Charney, senior vice president of Cisco, a company that had done frequent business with the NSA, told one journalist, the Snowden revelations were “besmirching the reputation of companies of U.S. origin around the world.”
Allied governments around the world were clamoring as well. The English-speaking nations that had been sharing intelligence with the United States for decades—the fellow “five-eyes” countries, Great Britain, Canada, Australia, and New Zealand—held firm. But other state leaders, who had not been let into the club, started slipping away. President Obama had planned to rally European leaders in his pressure campaign against China—which had launched cyber attacks on a lot of their companies, too—but his hopes were dashed when a Snowden document revealed that the NSA had once hacked German chancellor Angela Merkel’s cell phone. Merkel was outraged.
There was more than a trace of Captain Renault in her fuming, too; as subsequent news stories revealed, the BND, Germany’s security service, continued to cooperate with the NSA in monitoring suspected terrorist groups. But at the time, Merkel played populist, as vast swaths of the German people, including many who had once seen America as a protector and friend, started likening the NSA to Stasi, the extremely intrusive surveillance service of the long-imploded East German dictatorship. Other Snowden documents exposed NSA intercepts in Central and South America, infuriating leaders and citizens in the Western Hemisphere, as well.
Something had to be done; the stench—political, economic, and diplomatic—had to be contained. So President Obama did what many of his predecessors had done in the face of crises: he appointed a blue-ribbon commission.
CHAPTER 14
* * *
“THE FIVE GUYS REPORT”
ON August 9, 2013, a hot, humid Friday, shortly after three in the afternoon, the laziest hour in the dreariest month for news in the nation’s capital, President Obama held a press conference in the East Room of the White House to announce that he was forming “a high-level group of outside experts” to review the charges of abuse in NSA surveillance.
“If you are outside of the intelligence community, if you are the ordinary person and you start seeing a bunch of headlines saying U.S. Big Brother is looking down on you, collecting telephone records, etc., well, understandably,” he said, “people would be concerned. I would be concerned too, if I wasn’t inside the government.” But Obama was inside the government, at its apex, and he’d developed a trust in the agencies’ propriety. Of course, he acknowledged, “it’s not enough for me, as President, to have confidence in these programs. The American people need to have confidence in them as well.”
And that, he seemed to be saying, would be the mission of this high-level group of outside experts: not so much to recommend major reforms or even to conduct a particularly hard-hitting probe, but rather, as he put it, to “consider how we can maintain the trust of the people.” He would also work with Congress to “improve the public’s confidence in the oversight conducted by the Foreign Intelligence Surveillance Court.” Both efforts would be “designed to ensure that the American people can trust” that the intelligence agencies’ actions were “in line with our interests and our values.” The high-level group, or the select intelligence committees of Congress, might come up with ways “to jigger slightly” the balance between national security and privacy, and that was fine. “If there are some additional things that we can do to build that trust back up,” Obama said, “then we should do them.” But he seemed to assume that big changes wouldn’t be necessary. “I am comfortable that the program currently is not being abused,” he said. “The question is, how do I make the American people more comfortable?”
That same day, as if to seal the case, the Obama administration published a twenty-three-page “white paper,” outlining the legal rationale for the bulk collection of metadata from Americans’ telephone calls, and the NSA issued its own seven-page memorandum, explaining the program’s purpose and constraints.
Already, by this time, Obama, White House chief of staff Denis McDonough, and Susan Rice, his first-term U.N. ambassador who’d recently replaced Tom Donilon as national security adviser, had mulled over possible candidates for the outside group of experts. A few days before the press conference, they chose five, asked them to serve, and, upon getting their consent, ordered the FBI to expedite security-clearance reviews for each.
It wasn’t entirely an outside, or independent, group. All five were old friends or former aides of President Obama. Still, it was a more disparate and intriguing bunch than his press conference led many skeptics to expect.
Michael Morell was the establishment pick, a thirty-three-year veteran of the CIA, who had just retired two months earlier as the agency’s deputy director and who’d been the main point of contact between Langley and the White House during the secret raid on Osama bin Laden’s lair in Pakistan. Morell’s presence on the panel would go some distance toward placating the intelligence community.
Two of the choices were colleagues of Obama from his days, in the 1990s, teaching at the University of Chicago Law School. One of them, Cass Sunstein, had also worked on his presidential campaign, served for three years as the chief administrator of his regulatory office, and was married to Samantha Power, his long-standing foreign policy aide, who had recently replaced Susan Rice as U.N. ambassador. An unconventional thinker on issues ranging from the First Amendment to animal rights, Sunstein had written an academic paper in 2008, proposing that government agencies infiltrate the social networks of extremist groups and post messages to undermine their conspiracy theories; some critics of Obama’s panel took this paper as a sign that Sunstein was well disposed to NSA domestic surveillance.
The other Chicagoan, Geoffrey Stone, had been dean of the law school when Obama taught there. A prominent member of the ACLU’s national advisory council and the author of highly lauded books on the First Amendment in wartime and on excessive secrecy in the national security establishment, Stone seemed a likely critic of NSA abuses.
Peter Swire, a professor of law at the Georgia Institute of Technology, was a longtime proponent of privacy on the Internet and author of a landmark essay on surveilla
nce law. As the White House counsel on privacy during Bill Clinton’s presidency, Swire played a key role in the debate over the Clipper Chip, arguing against the NSA’s attempt—which he, correctly, saw as futile—to put a clamp on commercial encryption. A couple years later, also on privacy grounds, he argued against Richard Clarke’s ill-fated plan to put critical-infrastructure industries on a separate Internet and to wire them so that, in the event of a security breach, the FBI would be directly alerted.
For that reason, Swire was nervous to learn that the fifth member of the Review Group would be Richard Clarke himself. The former White House official who’d immersed himself in NSA practices, written presidential directives on cyber security, and built a reputation as relentless in promoting his own views and in quashing those of others, Clarke was seen as a wild card generally.
Still the consummate operator, Clarke had made a huge splash since quitting the Bush White House on the eve of the Iraq War. One year after the invasion, he gained unlikely fame as an American folk hero at the 9/11 Commission’s nationally televised hearings, prefacing his testimony with an apology. “To the loved ones of the victims of 9/11, to them who are here in this room, to those who are watching on television,” he began, “your government failed you. Those entrusted with protecting you failed you. And I failed you. We tried hard, but that doesn’t matter because we failed. And for that failure, I would ask, once all the facts are out, for your understanding and for your forgiveness.”
It seemed to be a genuine plea of contrition—enhanced by the fact that no other Bush official, past or present, had apologized for anything—and the hearing room erupted with applause. After his testimony, family members of victims lined up to thank him, shake his hand, and hug him.