The damage to U.S. foreign policy has been both tactical and strategic. Tactical damage flows from the impact Snowden’s disclosures have had on U.S. relations with, and America’s reputation in, many countries, including allied and friendly nations. Strategic damage emerges from how the leaks strengthened U.S. adversaries and signaled that realpolitik, not Internet freedom, characterizes American behavior in cyberspace.
Rather than anything China or Russia did, U.S. actions exposed by Snowden drew attention to “third image” analysis, where the anarchical nature of the international system explains state behavior in cyberspace. Snowden’s leaks played into the hands of authoritarian rivals of the United States and hung an albatross around the neck of Internet freedom in U.S. foreign policy on cyberspace.
NSA Domestic Surveillance Activities
Comprehensively describing Snowden’s many disclosures is beyond this chapter’s scope. Identifying categories of leaks, however, can communicate the damage done by these disclosures to U.S. foreign policy. The first category involves disclosures that sparked domestic debates in the United States about NSA activities. The first of these leaks was the initial revelation Snowden made—exposure of the domestic telephone metadata program.15 Although this category of leaks is domestic, the foreign policy implications are serious.
The world watched the champion of global Internet freedom become embroiled in a domestic debate about individual rights and national security in the cyber age. Rather than showing the United States as a paragon of respect for civil and political rights and open democratic governance in cyberspace, Snowden’s leaks exposed the workings of a “secret court” rendering “secret case law” permitting the NSA to collect metadata on every American’s telephone calls, with secrecy laws blocking elected representatives from raising concerns. The intensity of arguments over whether the NSA’s domestic surveillance was legal only exacerbated the spectacle of the United States struggling with challenges cyber technologies create for the government’s national security responsibilities.
Let me be clear: The adverse international implications from U.S. political turmoil do not mean NSA domestic surveillance activities were illegal. Although many experts argued that the Foreign Intelligence Surveillance Act (FISA) did not authorize the telephone metadata program,16 most of those opposed to the NSA’s statutory interpretation do not believe the NSA perpetrated a Watergate-style abuse of power. Regarding constitutional law, U.S. federal district courts have, to date, rendered different opinions on whether the telephone metadata program violates the Fourth Amendment, another marker of the complexities of the U.S. legal issues.17
The back and forth between U.S. legal experts, however, has not mitigated the adverse consequences for U.S. foreign policy. The Obama administration’s argument that NSA domestic surveillance activities were legal has not been convincing, as demonstrated by the controversies Snowden’s leaks generated in the United States, controversies deepened by the conclusion of the Privacy and Civil Liberties Oversight Board (PCLOB) that the telephone metadata program was not legal.18 The administration’s retreat from, and eventual modification of, the telephone metadata program undermined prior assertions that the program was both vital for national security and compliant with U.S. law.19 To many outside the United States, the episode justified Snowden’s lawbreaking because it brought about something the U.S. government had not facilitated—an open, democratic deliberation on NSA domestic programs affecting the relationship between civil and political rights and national security in the cyber age.
NSA Electronic Surveillance Targeting Foreigners
The second category of leaks involves revelations about the NSA’s electronic surveillance against foreign persons outside the United States. This category includes the PRISM program operated under provisions added to FISA in 2008, particularly the addition of Section 702 to FISA.20 The 2008 FISA amendments generated controversy21 and litigation before Snowden, culminating in the U.S. Supreme Court’s decision in Clapper v. Amnesty International (2013) that the plaintiffs did not have standing to challenge the constitutionality of the FISA amendments.22
Despite this pre-existing context, revelations of NSA electronic surveillance of foreign nationals did not create the frenzy in the United States that news of the telephone metadata program sparked. For example, the PCLOB, which concluded that the domestic telephone metadata program was not legal, determined that surveillance of foreign nationals under Section 702 of FISA did not violate U.S. law.23 Much of the controversy in the United States about NSA surveillance under Section 702, both before and after Snowden, focused on the communications of U.S. persons incidentally collected in this surveillance. But the disclosures about PRISM and other large-scale surveillance programs targeting foreign nationals angered other countries, including traditional U.S. friends and allies, and created problems for U.S. foreign policy.
The scale and intensity of NSA electronic surveillance of cyber communications of foreigners surprised many people and revealed how the United States respected the privacy of foreigners less than the privacy of U.S. nationals. Reactions coalesced around efforts by offended countries, led by Germany and Brazil, to push in diplomatic venues, including the United Nations (UN), for governments to respect the international human right to privacy not only within but also beyond territorial borders.24 The United States was caught between its support of Internet freedom and universal respect for civil and political rights (including privacy) and the U.S. position that its obligations under human rights treaties, including the International Covenant on Civil and Political Rights (ICCPR),25 do not extend beyond U.S. borders.26
Other countries interpreted the U.S. stance to mean that American intelligence agencies could ignore the right to privacy in international law outside the United States on a massive scale, an awkward position given that Internet freedom was an American rallying cry for universal individual liberty in cyberspace. As happened with the domestic controversies over the telephone metadata program, the Obama administration fell back on legal arguments, claiming it did not violate international law because (1) U.S. obligations under the ICCPR to respect privacy did not apply extraterritorially, and (2) the surveillance was lawful under the ICCPR because U.S. law authorized it. The U.S. delegation to the UN used these reasons to counter German and Brazilian efforts to condemn bulk or mass surveillance targeting foreigners as a violation of the “human right to privacy in the digital age.”27 The U.S. legal arguments struck many in other countries as an expedient reading of international law permitting the NSA to conduct electronic surveillance against foreigners on a massive and intrusive scale. Further, the U.S. position meant any country could do likewise without violating international human rights law.
Sensing its legal arguments were not helping, the Obama administration tried to repair the damage. In Presidential Policy Directive/PPD-28 (January 2014), President Obama instructed the U.S. intelligence community to protect the privacy of foreign nationals in ways approximating protections U.S. nationals receive.28 Although heralded as unprecedented,29 this decision raised more concerns. First, PPD-28 used the phrase “privacy interests” rather than “privacy rights,” meaning the United States was not recognizing the privacy of foreigners as an individual right vis-à-vis U.S. intelligence activities. Second, PPD-28’s protections applied after information was collected, which did not address anger about U.S. intelligence agencies conducting mass surveillance against foreigners in the first place. Third, the attempt to accommodate “privacy interests” of foreigners after denying that U.S. behavior violated international law on privacy looked like an expedient maneuver rather than a commitment to norms embedded in the Internet freedom ideology.
The controversies over U.S. surveillance of foreign nationals also damaged U.S. foreign policy because they diverted attention from a primary target of American cyber policy—authoritarian governments—and generated scrutiny of U.S. behavior under U.S.-enunciated principles. The Obama administration’s position that international law does not impose extraterritorial obligations with respect to the right to privacy is plausible, especially given how intelligence agencies around the world behave.30 Plausible legal arguments, though, could not obscure erosion of U.S. credibility. To many around the world, how the United States handled disclosures about its surveillance of foreign nationals revealed a gap between U.S. rhetoric about Internet freedom and the reality of American intelligence activities.
NSA Cyber Espionage against Foreign Governments
The third category of Snowden’s disclosures centers on leaks about the scale, intensity, and sophistication of U.S. cyber espionage against other governments. The leaks included information about U.S. cyber espionage against adversaries, such as China, and against friendly nations, such as Germany, Mexico, and Brazil. These disclosures damaged U.S. foreign policy in various ways. To begin, revelations about U.S. cyber espionage against China and other adversaries were not shocking, but they blunted U.S. complaints that it was under constant “cyber attack” by foreign intelligence agencies.
For example, in responding to pre-Snowden U.S. criticism about its cyber espionage, China complained it was a victim of large-scale, persistent, and skilled U.S. cyber espionage. As the Chinese noted after Snowden’s leaks began, the leaks confirmed China’s claims. Such confirmation did not generate sympathy for China, but China did not need sympathy to score strategic points. That China and the United States were perceived as engaging in the same type of intelligence activities was enough to undermine the American attempt to distinguish democracies from nondemocratic governments in terms of international cyberspace politics.
This “equivalence” effect also arose with disclosures about U.S. cyber espionage against allied and friendly governments, with Germany and Brazil in particular responding angrily. Democracies spying on democracies did not communicate the democratic solidarity supposedly animating Internet freedom. The Obama administration’s response constituted various formulations of “every country engages in espionage.” This response resonated with the desire of China, Russia, and other authoritarian countries to drain from cyberspace the “democracies v. dictatorships” trope. The leaks about U.S. cyber espionage underscored that international law does not seriously constrain state espionage, including economic espionage. This reality also reinforced equivalence among democracies and authoritarian regimes, making U.S. complaints about Chinese violations of international norms empty as a matter of international law.
The U.S. effort to distinguish traditional espionage (states spying on states) from economic espionage (states stealing intellectual property and trade secrets from foreign companies) also suffered from Snowden’s disclosures. Some leaks revealed U.S. cyber espionage meant to gain information from foreign companies in order to help U.S. trade negotiators achieve better deals for American businesses.31 Although such espionage is not what the U.S. government considers economic espionage, other countries, before and after Snowden, have proven unwilling to follow the U.S. government’s approach. The fallout from Snowden’s disclosures worsened prospects that other nations will support what the U.S. government means by “economic espionage.”
Reactions of other countries to revelations of U.S. cyber espionage included feigned umbrage that made eyes roll in intelligence agencies around the world. Behind the posturing was opportunism, as governments sensed the chance to snatch business from U.S. technology companies, such as Google, that have dominated innovation and globalization in cyber goods and services. However one views such behavior, it represents a problem for U.S. foreign policy because U.S. companies face adverse consequences from disclosures about U.S. cyber espionage.
U.S. Offensive Cyber Operations
A fourth category of leaks involves U.S. offensive cyber operations. Snowden disclosed the classified Presidential Policy Directive/PPD-20 on U.S. Cyber Operations Policy, which defined different cyber operations and established rules for their conduct.32 Among other things, PPD-20 addressed “offensive cyber effects operations,” defined as operations, other than defensive and espionage activities, the U.S. government conducts outside U.S. government networks to manipulate, disrupt, deny, degrade, or destroy computers, information, communication systems, networks, or physical or virtual infrastructure controlled by computers or information systems.33 PPD-20 revealed the U.S. government’s belief in the utility of offensive cyber operations, ordered development of offensive capabilities, and instructed executive branch agencies to identify targets for offensive cyber operations.34
In leaks about the “Black Budget” for U.S. intelligence activities, Snowden revealed that in 2011, the United States conducted 231 offensive cyber operations.35 Although this controversial disclosure relates to a period before PPD-20’s finalization, PPD-20 provides the best idea of what the intelligence community meant in reporting how many offensive cyber operations took place in 2011.
For many other governments, these disclosures confirmed what they previously believed was happening—the United States was developing intelligence and military capabilities to engage in covert and overt offensive cyber operations. Indeed, the United States had previously been identified as responsible for the covert Stuxnet cyber attack, which damaged centrifuges at an Iranian nuclear facility from 2008 through 2010.36 Creation of a new military command, U.S. Cyber Command, in 2010 signaled development of offensive military cyber capabilities and their integration with other instruments of U.S. military power.
Even so, leaks about U.S. offensive cyber operations and capabilities created problems for U.S. foreign policy. These leaks raised questions about the United States launching hundreds of offensive operations to manipulate, damage, degrade, or destroy cyber systems in other countries. How did the United States justify such operations under international law? Could this level of offensive cyber operations be reconciled with the U.S. desire for international norms of responsible state behavior in cyberspace? Through development and use of offensive cyber capabilities, was the United States contributing to the militarization of cyberspace rather than Internet freedom? Was U.S. activity a “green light” for other states to undertake offensive cyber operations with equivalent intensity and consequences?
More broadly, the leaks suggest U.S. pursuit of offensive cyber capabilities signals how seriously great powers are interested in cyber weapons and covert or military cyber attacks. The United States is leavening its material power with cyber capabilities, suggesting cyber technologies are coming of age as instruments of covert action and military force. Other countries, including China, Iran, and Russia, are moving down the same path, creating conditions for a “cybersecurity dilemma” to emerge. The United States could be fueling systemic cyber actions and reactions that reflect realpolitik more than the U.S. vision of Internet freedom.
U.S. Activities Perceived to Threaten Global Cybersecurity
The fifth category includes leaks identifying U.S. activities experts believe threaten the security of the Internet and cyberspace. Revelations about NSA efforts to manipulate encryption technologies and U.S. policies on “zero-day vulnerabilities” gained notoriety. Some of Snowden’s disclosures indicated the NSA tried to overcome or undermine encryption used to protect the security and privacy of cyber communications.37 These disclosures raised concerns that the NSA was weakening the roles encryption plays in enhancing security and privacy in cyberspace.
Similarly, Snowden’s leaks helped focus attention on how the U.S. government deals with zero-day vulnerabilities—software flaws that criminals, intelligence and law enforcement agencies, or militaries can exploit before the software vendor learns about and fixes them. The U.S. and other governments discover zero days through research and buy them from companies that hunt for such flaws.38 U.S. policy on zero days received scrutiny after Stuxnet because this attack used four zero days,39 illustrating the utility of exploiting such vulnerabilities. Retaining zero days, however, means not disclosing them to software makers, leaving users vulnerable to exploitation. Tension exists, therefore, between disclosure as a way to strengthen cyber defenses and retention as a strategy for enhancing offensive cyber opportunities.
Snowden-related controversies brought more attention to U.S. policy on zero days. The President’s Review Group on Intelligence and Communications Technologies, established to make recommendations in light of Snowden’s leaks, urged U.S. policy in December 2013 to shift toward greater disclosure of zero days to improve cyber defenses, with retention “[i]n rare instances” for “high priority intelligence collection.”40 President Obama’s response to the review group’s recommendations in early 2014 did not address zero days. But questions concerning whether the U.S. government knew about the Heartbleed zero-day vulnerability in Internet security software identified in April 2014 prompted Michael Daniel, President Obama’s special assistant and cyber security coordinator, to clarify U.S. policy. Daniel stressed “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest” and important to “an open and interoperable, secure and reliable Internet[.]”41 Daniel argued, however, that not disclosing some zero days for national security purposes was legitimate, and the U.S. government used a “disciplined, rigorous and high-level decision-making process” to evaluate when to disclose or withhold zero-day information. For many, this explanation raised as many questions as it answered about how the United States balances the defensive benefits disclosure provides and the offensive opportunities retention creates.
The perception generated by the encryption and zero-day controversies and other NSA practices Snowden disclosed (e.g., malware implants, manipulating hardware) was that the U.S. government weakens cyber defenses nationally and globally when it suits U.S. national security. This perception linked with post-Snowden concerns that the United States projects its material power unilaterally in cyberspace through unrestrained surveillance, espionage, and offensive operations. Reconciling this perspective with America’s pre-Snowden emphasis on adherence to international norms in cyberspace proved difficult because the United States rejected the application of international law (surveillance of foreigners), took advantage of its absence (cyber espionage), or violated it (offensive operations).
The Snowden Reader Page 10